<div dir="ltr"><div id=":ed.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)">Hello there, </div><div id=":ed.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><br></div><div id=":ed.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)">Thanks for your interest. The versions we use are:</div><div id=":ed.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><span class="" dir="ltr" style="outline:none"><br></span></div><div id=":ed.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><span id=":ed.co" class="" dir="ltr" style="outline:none">Squid Cache: Version 3.4.10</span></div><div id=":ee.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><div id=":ee.at" class="" style="text-align:center;outline:none"></div><span id=":ee.co" class="" dir="ltr" style="outline:none">OpenSSL 1.0.2h  3 May 2016</span></div><div id=":ef.ma" class="" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><div id=":ef.at" class="" style="text-align:center;outline:none"></div>----------</div><div id=":ef.ma" class="" 
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)">Configuration we use for https bumping:</div><div id=":eg.ma" class="" title="7/11/16, 10:14 AM" style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;word-wrap:break-word;outline:none;color:rgb(38,50,56)"><div id=":eg.at" class="" style="text-align:center;outline:none"></div><span id=":eg.co" class="" dir="ltr" style="outline:none">always_direct allow all<br style="outline:none">ssl_bump none localhost<br style="outline:none">ssl_bump server-first all<br style="outline:none"><br style="outline:none">sslproxy_cert_error allow all<br style="outline:none">sslproxy_flags DONT_VERIFY_PEER</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hey,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What version of squid is provided on pfsense and what version are you using?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Eliezer<u></u><u></u></span></p><p class="MsoNormal"><span 
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1f497d">----<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1f497d"><a href="http://ngtech.co.il/lmgtfy/" target="_blank"><span style="color:#0563c1">Eliezer Croitoru</span></a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: <a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img border="0" width="183" height="69" src="cid:image001.png@01D1DACE.40E36EA0"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>] <b>On Behalf Of </b>Yi?itcan U?UM<br><b>Sent:</b> Sunday, July 10, 2016 3:49 PM<br><b>To:</b> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br><b>Subject:</b> [squid-users] HTTPS bump doesn't work with websites that require SNI<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal"><span style="font-size:9.5pt">Hello there. We're using pfsense and squid-proxy to bump https connections between some of our machines and www. 
The setup seems to work fine for most of the https sites, but it doesn't work for the others.</span><u></u><u></u></p><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">One example of these sites is "<a href="http://docs.docker.com/" target="_blank">docs.docker.com</a>". Even though we can connect to "<a href="http://docker.com/" target="_blank">docker.com</a>", we can't connect to "<a href="http://docs.docker.com/" target="_blank">docs.docker.com</a>".<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">The error we get is:<u></u><u></u></span></p></div><div><pre style="white-space:pre-wrap"><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#1e1e1e">(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)<u></u><u></u></span></pre><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">Upon further investigation we found out that this happens because some sites require SNI to supply correct SSL certificate.<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">You can test this out with:<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">-------------------------------<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">openssl s_client -connect <a href="http://docs.docker.com:443/" target="_blank">docs.docker.com:443</a> -> ERROR<u></u><u></u></span></p><p><span 
style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:</span><span style="font-size:9.5pt"><u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">-------------------------------</span><span style="font-size:9.5pt"><u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">openssl s_client -connect <a href="http://docs.docker.com:443/" target="_blank">docs.docker.com:443</a> -servername <a href="http://docs.docker.com/" target="_blank">docs.docker.com</a> -> Works<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">--------------------------------<u></u><u></u></span></p><p><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1e1e1e">Squid seems to make https requests without the SNI. How can we configure Squid to use SNI? Thanks.<u></u><u></u></span></p></div></div></div></div></div></div></blockquote></div><br></div>